Annual Computer Security Applications Conference (ACSAC) 2023

Prioritizing Remediation of Enterprise Hosts by Malware Execution Risk

Defending an enterprise network requires making prioritization decisions daily; one is deciding which compromised hosts to remediate (reimage). We study the utility of endpoint monitoring data to perform this prioritization, with the driving goal being to minimize "regret" as measured by future (next-week) malware execution on hosts whose remediation was deprioritized. Leveraging data gathered by the vendor of a major endpoint protection product, we show that it is possible to prioritize remediation by training a classifier that predicts imminent malware execution. Perhaps surprisingly, while it is possible to train on data collected across an array of enterprises to which endpoint protection is deployed, at least in the case of the endpoint protection vendor (itself a major, worldwide company), predictive performance for a single enterprise can be superior when training is restricted to the enterprise itself. Another advantage of the single-enterprise training set is the ease of combining different views of the hosts, such as via file-based and network-based monitoring, which can further improve the prediction of malware execution.

Andrew Chi
Cisco Systems

Blake Anderson
Cisco Systems

Michael K. Reiter
Duke University

Paper (ACM DL)